[jbossws-dev] [Design of JBoss Web Services] - Re: What do we need in terms of x509 cert processing for ws

scott.stark@jboss.org do-not-reply at jboss.com
Mon Oct 23 15:21:41 EDT 2006


"jason.greene at jboss.com" wrote : 
  | 1. Ability to generate a v3 cert, bouncy castle does support this. Right now I tell people to use openssl.
  | 
We should just look at whether bouncy castle/ejbca can be leveraged to get a sufficient cert generation capability into our codebase.

"jason.greene at jboss.com" wrote : 
  | 2. Support for subject key identifier code follows  (Although, ideally all v3 attributes would be supported)
  | 
  | 
  |   |  public static byte[] getSubjectKeyIdentifier(X509Certificate cert)
  |   |    {
  |   |       // Maybe we should make one ourselves if it isn't there?
  |   |       byte[] encoded = cert.getExtensionValue("2.5.29.14");
  |   |       if (encoded == null)
  |   |          return null;
  |   | 
  |   |       // We need to skip 4 bytes [(OCTET STRING) (LENGTH)[(OCTET STRING) (LENGTH) (Actual data)]]
  |   |       int trunc = encoded.length - 4;
  |   | 
  |   |       byte[] identifier = new byte[trunc];
  |   |       System.arraycopy(encoded, 4, identifier, 0, trunc);
  |   | 
  |   |       return identifier;
  |   |    }
  |   | 
  | 
Access to any raw attribute seems to exist. What is not generally available is a mechanism to control how to decode a given attribute. I would assume this is going to require ASN/DER classes (should exist in bc or even opends), along with a OID to format handler registry. The latter is core to ldap and so maybe we can leverage the opends schema handling pieces as a way to externalize the cert attribute handling as well.
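As an added example (not code from the post or from JBossWS), here is how such a decoding layer could look in plain Java: a minimal DER tag/length/value reader that handles both short- and long-form lengths, and an OID-to-handler registry with handlers for SubjectKeyIdentifier (2.5.29.14) and KeyUsage (2.5.29.15). Unlike the quoted snippet, which skips a fixed 4 bytes and so assumes both DER lengths fit in one byte, the reader parses the lengths and bounds-checks them. The class and method names are invented, and the byte arrays in main are constructed samples, not taken from a real certificate.

```java
import java.security.cert.X509Certificate;
import java.util.HashMap;
import java.util.Map;
import java.util.function.Function;

// Hypothetical helper, not part of JBossWS: DER reader plus OID -> handler registry.
public class CertExtensionDecoder {

    /** One DER tag/length/value triple. */
    static final class Tlv {
        final int tag;
        final byte[] value;
        Tlv(int tag, byte[] value) { this.tag = tag; this.value = value; }
    }

    static final int BIT_STRING = 0x03;
    static final int OCTET_STRING = 0x04;

    /** Reads the DER element starting at offset 0 of buf, with short- or long-form length. */
    static Tlv readTlv(byte[] buf) {
        if (buf == null || buf.length < 2)
            throw new IllegalArgumentException("truncated DER element");
        int tag = buf[0] & 0xFF;
        int first = buf[1] & 0xFF;
        int pos = 2;
        int len;
        if (first < 0x80) {
            len = first;                          // short form: a single length byte
        } else {
            int numBytes = first & 0x7F;          // long form: 0x8N followed by N length bytes
            if (numBytes == 0 || numBytes > 4 || buf.length < pos + numBytes)
                throw new IllegalArgumentException("unsupported or truncated DER length");
            len = 0;
            for (int i = 0; i < numBytes; i++)
                len = (len << 8) | (buf[pos++] & 0xFF);
        }
        if (len < 0 || pos + len > buf.length)    // reject lengths that run past the buffer
            throw new IllegalArgumentException("DER length exceeds buffer");
        byte[] value = new byte[len];
        System.arraycopy(buf, pos, value, 0, len);
        return new Tlv(tag, value);
    }

    /** Registry: extension OID -> decoder for the extension's inner DER value. */
    static final Map<String, Function<byte[], Object>> HANDLERS = new HashMap<>();
    static {
        // SubjectKeyIdentifier is an OCTET STRING holding the raw key identifier.
        HANDLERS.put("2.5.29.14", inner -> {
            Tlv t = readTlv(inner);
            if (t.tag != OCTET_STRING)
                throw new IllegalArgumentException("SKI is not an OCTET STRING");
            return t.value;
        });
        // KeyUsage is a BIT STRING: first byte = number of unused bits, then the flag bits.
        HANDLERS.put("2.5.29.15", inner -> {
            Tlv t = readTlv(inner);
            if (t.tag != BIT_STRING || t.value.length < 1)
                throw new IllegalArgumentException("bad KeyUsage");
            boolean[] bits = new boolean[9];      // digitalSignature(0) ... decipherOnly(8)
            for (int i = 0; i < 9; i++) {
                int byteIdx = 1 + i / 8;
                if (byteIdx < t.value.length)
                    bits[i] = (t.value[byteIdx] & (0x80 >> (i % 8))) != 0;
            }
            return bits;
        });
    }

    /** Decodes what X509Certificate.getExtensionValue returns: an OCTET STRING wrapping the value. */
    static Object decodeExtensionValue(String oid, byte[] encoded) {
        if (encoded == null)
            return null;
        Function<byte[], Object> handler = HANDLERS.get(oid);
        if (handler == null)
            return encoded;                       // unknown OID: hand back the raw bytes
        Tlv outer = readTlv(encoded);
        if (outer.tag != OCTET_STRING)
            throw new IllegalArgumentException("extension value not wrapped in OCTET STRING");
        return handler.apply(outer.value);
    }

    /** Convenience overload for a real certificate. */
    static Object decodeExtension(X509Certificate cert, String oid) {
        return decodeExtensionValue(oid, cert.getExtensionValue(oid));
    }

    static String hex(byte[] b) {
        StringBuilder sb = new StringBuilder();
        for (byte x : b) sb.append(String.format("%02x", x));
        return sb.toString();
    }

    public static void main(String[] args) {
        // Constructed SKI: 04 16 (outer OCTET STRING) 04 14 (inner OCTET STRING) + 20 id bytes
        byte[] ski = new byte[24];
        ski[0] = 0x04; ski[1] = 0x16; ski[2] = 0x04; ski[3] = 0x14;
        for (int i = 0; i < 20; i++) ski[4 + i] = (byte) i;
        System.out.println("SKI = " + hex((byte[]) decodeExtensionValue("2.5.29.14", ski)));

        // Constructed KeyUsage: BIT STRING with 5 unused bits, byte 0xA0 = digitalSignature + keyEncipherment
        byte[] ku = { 0x04, 0x04, 0x03, 0x02, 0x05, (byte) 0xA0 };
        boolean[] bits = (boolean[]) decodeExtensionValue("2.5.29.15", ku);
        System.out.println("digitalSignature=" + bits[0] + " keyEncipherment=" + bits[2]);
    }
}
```

The registry is the "OID to format handler" piece from the reply: adding support for another v3 extension means registering one more decoder rather than hard-coding byte offsets per call site, and every decoder goes through the same bounds-checked reader.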


View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3980154#3980154